Author: grmrgecko (Page 1 of 13)

Setting up a bridge network for Libvirtd/KVM use

I wanted to set up bridge networking on my main Arch Linux box so that I could connect to virtual machines in KVM. I was using the MACVTAP connection in Libvirtd; however, that prevents you from connecting to the virtual machines from the host, because the Linux host does not know how to talk to the MAC addresses of the virtual machines when they sit on the same interface card (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/virtualization_host_configuration_and_guest_installation_guide/app_macvtap). There are hacks to set up a MACVTAP network connection for the host as well, but it is best practice to use a bridged connection instead.

Configuring the Bridge Network

I'm not going to go into complete detail here on how to do this, as there are many guides on the internet for it. I am, however, going to link to the Arch Wiki, which has the standard steps for the network tools of your choice; I personally use NetworkManager, mainly because it works for me. When researching this configuration, I found a lot of old documentation for CentOS 6/Debian 7 which is not up to date with today's standards. The Arch Wiki article is reputable and also up to date in this case.

Configuring the Firewall

This was the main problem I ran into when setting up a bridge network; older articles by Red Hat led me to the solution, which I will provide for both iptables and firewalld.

IPTables

iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT

FirewallD

firewall-cmd --permanent --direct --passthrough ipv4 -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
firewall-cmd --reload

The rule above is the secret to getting the bridge connection to work within a virtual machine: it accepts frames that are merely being switched across the bridge before a later rule or the chain's default policy can reject them. Without it, DHCP was not working, and manually setting an IP address did not lead to a working IPv4 interface. Be aware that it is a blanket accept: for as long as bridge netfilter is enabled, the host firewall will pass everything between the guests and the LAN without inspecting it.

Disabling Net Filter

In reviewing implementations of bridging, there always seems to be one change everyone makes to improve the performance of bridged networks: disabling netfilter on the bridge. Doing so is fairly simple; adjust the files below. Keep in mind that once these are set to 0, iptables, ip6tables and arptables no longer see frames that are switched across the bridge at all, so the FORWARD rule above is no longer consulted for them and the host firewall offers the guests no protection; filter on the guests themselves instead.

/etc/sysctl.d/bridge.conf

net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=0
net.bridge.bridge-nf-call-arptables=0

/etc/udev/rules.d/99-bridge.rules

ACTION=="add", SUBSYSTEM=="module", KERNEL=="bridge", RUN+="/sbin/sysctl -p /etc/sysctl.d/bridge.conf"

You can then run sysctl -p /etc/sysctl.d/bridge.conf manually to load the settings. These keys only exist while the br_netfilter kernel module is loaded; if sysctl reports them as unknown, load the module first with modprobe br_netfilter and run it again.
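To see how the FORWARD rule and the bridge-nf sysctls above interact, here is a small checker I am adding to this post (not the author's or libvirt's code). It reads the text of `sysctl net.bridge` and `iptables-save` and reports whether the host's FORWARD chain will interfere with bridged guest traffic; the sample inputs are constructed, modelled on a firewalld-style FORWARD chain that ends in a REJECT.

```python
import re

# Constructed sample inputs (not captured from the author's host), modelled on
# `sysctl net.bridge` output and a firewalld-style FORWARD chain in iptables-save.
SYSCTL_ON = "net.bridge.bridge-nf-call-iptables = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\n"
SYSCTL_OFF = "net.bridge.bridge-nf-call-iptables = 0\n"
IPT_BEFORE = """*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j FORWARD_direct
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Same chain after `iptables -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT`.
IPT_AFTER = IPT_BEFORE.replace(
    "-A FORWARD -j FORWARD_direct",
    "-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT\n-A FORWARD -j FORWARD_direct")


def parse_sysctl(text):
    """Parse 'key = value' or 'key=value' lines into {key: int}."""
    found = re.findall(r"^\s*(net\.bridge\.[\w.-]+)\s*=\s*(\d+)", text, re.M)
    return {key: int(val) for key, val in found}


def forward_chain(text):
    """Return (policy, rules) for the filter table's FORWARD chain in iptables-save output."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        match = re.match(r":FORWARD\s+(\w+)", line)
        if match:
            policy = match.group(1)
        elif line.startswith("-A FORWARD "):
            rules.append(line)
    return policy, rules


def diagnose(sysctl_text, iptables_text):
    """Say whether the host FORWARD chain will interfere with bridged guest traffic."""
    # An absent key is treated as 1 (chain consulted), the conservative assumption.
    if parse_sysctl(sysctl_text).get("net.bridge.bridge-nf-call-iptables", 1) == 0:
        return "bridge-nf disabled: iptables never sees bridged frames"
    policy, rules = forward_chain(iptables_text)
    for rule in rules:  # first match wins, so order matters; jumps to user chains are not followed
        if "--physdev-is-bridged" in rule and rule.endswith("-j ACCEPT"):
            return "ok: physdev ACCEPT rule reached before any REJECT/DROP"
        verdict = re.search(r"-j (REJECT|DROP)\b", rule)
        if verdict and "-m physdev" not in rule:
            return "blocked: unconditional %s precedes any physdev ACCEPT" % verdict.group(1)
    if policy in ("DROP", "REJECT"):
        return "blocked: FORWARD policy %s and no physdev ACCEPT rule" % policy
    return "ok: FORWARD policy ACCEPT and no rejecting rule"
```

On a real host, feed it the output of `sysctl net.bridge` and `iptables-save -t filter` instead of the constructed strings.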

Final LibvirtD Network Configurations

Now that the bridged network is set up, you can set up the network configuration for your virtual machines. There are two ways to do this: you can select a shared device name in virt-manager, or you can configure it via XML like so:

<interface type="bridge">
  <source bridge="br0"/>
  <mac address="52:00:00:00:00:00"/>
</interface>

Or, you can define a network in libvirtd as follows to make it an easy selection:

cat > /tmp/br0.xml <<XML
<network>
  <name>br0</name>
  <forward mode="bridge"/>
  <bridge name="br0" />
</network>
XML
virsh net-define /tmp/br0.xml
virsh net-start br0
virsh net-autostart br0
virsh net-list --all

Start your Virtual Machine and you should be good to go!

Building an overkill router

I just built a router which is overkill. I'm going to be using pfSense as the operating system, and I'll have security utilities like Snort running on it to protect my network. The main idea behind building it with the specs I went with is that I can expand: if I wanted 1Gb/sec, it can handle it; if I wanted 10Gb/sec, I could upgrade with a 10Gb PCIe card. So when you look at the specs of other routers, with 128MB of storage, 128MB of RAM, and 650MHz processors, just remember the main idea is for it to be overkill.

Specifications:

SSD: 120GB
RAM: 16GB
CPU: 3.2GHz quad-core i5
Network: Dual Gb Ethernet on the motherboard
WiFi: Dual band 2.4/5GHz with AC support
Bluetooth: 4.2

If you want a full list of parts that went into it, visit the following: https://secure.newegg.com/WishList/PublicWishDetail.aspx?WishListNumber=36984228

See the lovely photos below, which show how awesome the machine looks.

[Six photos of the finished router build]

Secure Passwords

There is a time when regular people need to know how to make secure passwords. I personally wouldn't use this service, as I have no idea if they log the passwords generated along with an IP address… They at least generate 3, so they won't know which one you chose, serve the password over TLS, and provide a good example for people to learn what a good password could look like.

The site is located at https://xkpasswd.net/

If you want to test the strength of the password, you can use https://passwd.gec.im/ and https://www.grc.com/haystack.htm

Calhoun IT Club

I have posted the source code to the website I wrote for the IT Club of Calhoun. It was mostly stuff I just threw together quickly, and it uses a key-stretching algorithm I wrote which works, but should really be PBKDF2 or something similar.

The website allows for easy modification by someone other than myself, as my term as president of the IT Club is over and I want future presidents to be able to modify the site to their heart's content.

The site is located at https://it.gec.im/ if you are interested and the source code is located at https://git.gec.im/GRMrGecko/ITClub/tree/master

Error Codes, the way they should be.

I just learned of a site, shared by a friend, that has error code pages every website should adopt: https://http.cat/ The cat theme goes perfectly with the most important thing on the internet. Now, if you don't adopt these wonderful cats, do something else funny, like what I do with my website by putting up geckos. Google does something funny for error codes as well; if we all did funny things, the internet would be fun.


© 2020 Mr. Gecko's Weblog
